
At the most fundamental level, IT security is about protecting things that are of value to an organization. That generally includes people, property, and data—in other words, the organization’s assets.

Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.

Control Objectives First…

Security controls are not chosen or implemented arbitrarily. They typically flow out of an organization’s risk management process, which begins with defining the overall IT security strategy, then goals. This is followed by defining specific control objectives—statements about how the organization plans to effectively manage risk. For example, “Our controls provide reasonable assurance that physical and logical access to databases and data records is restricted to authorized users” is a control objective. “Our controls provide reasonable assurance that critical systems and infrastructure are available and fully functional as scheduled” is another example.

…Then Security Controls

Once an organization defines control objectives, it can assess the risk to individual assets and then choose the most appropriate security controls to put in place. One of the easiest and most straightforward models classifies controls by type (physical, technical, or administrative) and by function (preventative, detective, or corrective).

Technical controls (also known as logical controls) include hardware or software mechanisms used to protect assets. Some common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion protection systems (IPSs), constrained interfaces, as well as access control lists (ACLs) and encryption measures.

Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization's security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.

Control Functions

Preventative controls describe any security measure that’s designed to stop unwanted or unauthorized activity from occurring. Examples include physical controls such as fences, locks, and alarm systems; technical controls such as antivirus software, firewalls, and IPSs; and administrative controls like separation of duties, data classification, and auditing.

Detective controls describe any security measure taken or solution that’s implemented to detect and alert to unwanted or unauthorized activity in progress or after it has occurred. Physical examples include alarms or notifications from physical sensors (door alarms, fire alarms) that alert guards, police, or system administrators. Honeypots and IDSs are examples of technical detective controls.

Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system. Putting an incident response plan into action is an example of an administrative corrective control.

The table below shows how just a few of the examples mentioned above would be classified by control type and control function.

| Control type | Preventative | Detective | Corrective |
|---|---|---|---|
| Physical | Fences, gates, locks | CCTV and surveillance camera logs | Repair physical damage, re-issue access cards |
| Technical | Firewall, IPS, MFA solution, antivirus software | Intrusion detection systems, honeypots | Patch a system, terminate a process, reboot a system, quarantine a virus |

F5 Labs Security Controls Guidance

To provide threat intelligence that’s actionable, F5 Labs threat-related content, where applicable, concludes with recommended security controls as shown in the following example. These are written in the form of action statements and are labeled with control type and control function icons. They’re meant to be a quick, at-a-glance reference for mitigation strategies discussed in more detail in each article.

Security practitioners implement a combination of security controls based on stated control objectives tailored to the organization’s needs and regulatory requirements. Ultimately, the goal of both control objectives and controls is to uphold the three foundational principles of security: confidentiality, integrity, and availability, also known as the CIA Triad.


About the author

Debbie Walkowski

As a Security Threat Researcher for F5 Labs, Debbie specializes in writing threat-related educational content as well as blogs, articles, and comprehensive research reports about application threat intelligence. She has worked for F5 for 10 years and has more than 20 years’ experience in the technology industry as a technical writer. She holds SANS GIAC Information Security Professional (GISP), GIAC Security Essentials (GSEC), and GIAC Security Fundamentals (GISF) certifications. Her bachelor’s degree from the University of Washington is in scientific and technical communication with an emphasis in computer science. She is the author of 18 technology books published by IDG Books, SAMS, QUE, and Alpha Books.
